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About this guide 


Welcome to Qualys Cloud Platform and integration of Qualys Cloud Platform with Azure 
Sentinel! We'll help you get acquainted with the Qualys solutions for integrating Azure 
Sentinel with the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 
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Introduction 


Welcome to Qualys Cloud Platform that brings you solutions for securing your Cloud IT 
Infrastructure as well as your traditional IT infrastructure. In this guide, we'll be talking 
about integrating Qualys findings with Microsoft Azure Sentinel that you can further use 
in security analytics of your entire enterprise. 


Qualys Integrated Security Platform 


With Qualys Cloud Platform you get a single view of your security and compliance - in real 
time. If you’re new to Qualys we recommend you to visit the Qualys Cloud Platform web 
page to know more about our cloud platform. 


CLOUD / CONTAINER 


@ ASSET MANAGEMENT @» IT SECURITY © COMPLIANCE © peared @ | WEB APP SECURITY 
Global AssetView - Vulnerability Management, Policy Compliance Cloud Inventory Web App Scanning 
It’s Free! Unlimited Assets Detection & Response - Most 
Popular 
p! Security Configuration Cloud Security Assessment Web App Firewall 
CyberSecurity Asset Assessment 
Management - New Threat Protection 


Container Security 
PCI Compliance 
Certificate Inventory Continuous Monitoring 


File Integrity Monitoring 
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Endpoint Detection & Questionnaire 
Response - New 
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Qualys Support for Azure Sentinel 


Azure Sentinel provides intelligent security analytics at cloud scale for entire enterprise. 
Azure Sentinel makes it easy to collect security data across entire hybrid organization 
from devices, to users, to apps, to servers on any cloud. 


You can now access Qualys vulnerability assessment findings in Azure Sentinel. The 
Azure Sentinel provides a comprehensive view of the high-priority security alerts and 
compliance status across their accounts. By integrating the findings from Qualys 
Vulnerability Management (VM/VMDR) with Azure Sentinel, you can get near real-time, 
up-to-date visibility of your security posture in Azure Sentinel console. These findings, 
gained by the correlation of Qualys information with other data in Azure Sentinel, allow 
customers to quickly detect risks and take rapid, automated remedial actions. 


Currently, we support findings from only VM/VMDR app in Azure Sentinel integration. 


Qualys Sensors 


Qualys sensors, a core service of the Qualys Cloud Platform, make it easy to extend your 
security throughout your global enterprise. These sensors are remotely deployable, 
centrally managed and self updating. They collect the data and automatically transmit it 
up to the Qualys Cloud Platform, which has the computing power to continuously analyze 
and correlate the information in order to help you identify threats and eliminate 
vulnerabilities. 


Virtual Scanner Appliances 
Remote scan across your networks - hosts and applications 


A Cloud Agents 
© Continuous security view and platform for additional securit 
k y P y 
E 
Azure Cloud Connectors 
Sync cloud instances and its metadata 
Internet Scanners 
Perimeter scan for edge facing IPs and URLs 


Web Application Firewalls 
Actively defend intrusions and secure applications 
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Pre-requisites 
These options must be enabled for your Qualys user account. 


- Ensure that you accept all the Qualys Terms and Conditions and reach out to the Qualys 
Support team for the integration process. 


Note: You can access integration API only after accepting Terms and Conditions 
provided by Qualys. 


- Qualys Applications: Vulnerability Management (VM/VMDR), Cloud Agent (CA). Ensure 
that you have executed scans and the scan reports (including vulnerability information) 
are available in your user account. 


- Qualys Sensors: Virtual Scanner Appliances or Cloud Agents, as required 
- Ensure API Access permission is enabled for the user account 
- Manager or Unit Manager role 


- Ensure that you have created Log Analytics Workspace on Azure Sentinel console. 


It’s easy to get started 


You might already be familiar with Qualys Cloud Suite, its features and user interface. If 
you're new to Qualys, we recommend these overview tutorials - it just takes a few 
minutes! 


Video Tutorials get you familiar with basics 


Vulnerability Management Detection and Response. (3 mins) 


Quick Steps: Integrating Azure Sentinel with Qualys 
Here's the user flow for integrating Qualys with Azure Sentinel. 


1 - Getting Started with Azure Sentinel Integration. 


2 - Getting started with Integration using APIs available to configure integration with 
Qualys Cloud Platform. 


3 - Configuring Insights on Azure Sentinel Console (Optional). 


Helpful resources Always up to date with the information you need 


From the Community 
Qualys Training | Free self paced classes, video series, online classes 


Qualys Documentation | Getting started guides, quick references, API docs 
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Getting Started with Azure Sentinel Integration 


You need to create a workspace on Azure Sentinel console to use this integration. Once 
you create a workspace, you can use the workspace details such as workspace Id and 
primary key during integration. We’ll walk you through the steps. 


We provide APIs (JSON) to fasten and simplify the integration process with Azure Sentinel. 
The integration process is a single step with Qualys using APIs: adding the Azure Sentinel 
integration. Once you add it, you can use it to fetch details, update the existing 
configuration of Azure Sentinel, or delete the Azure Sentinel integration as well. 


Add Azure Sentinel Integration 


Additional Optional API 


URL to the Qualys API Server 


Before you proceed with the APIs, you need to know the Qualys API Server. The Qualys API 
URL you should use for API requests depends on the Qualys platform where your account 
is located. 


Click here to identify your Qualys platform and get the API URL 


This documentation uses the API URL for Qualys US Platform 1 
(https://qualysapi.qualys.com) in sample API requests. If you’re on another platform, 
please replace this URL with the appropriate Qualys API Server and URL for your account. 


Add Azure Sentinel Integration 


<Qualys_API_URL>/qps/rest/2.0/add/integration/azure/sentinel/vm 
[POST] 


The first step towards the integration is creation of Azure Sentinel integration. To add the 
Azure Sentinel integration, you need to provide workspace Id, primary key in the API 
request body. The workspace Id and primary key can be obtained from Azure workspace 
that you create. You can specify other optional parameters (base category, minimum 
severity, etc) as per your requirement. 


Once you create the Azure Sentinel integration, the response provides an unique 
integration identifier (id) for the Azure Sentinel integration. 
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Input Parameters 


Parameter Description 

workspaceld={value} (Required) Provide the unique Id assigned to the workspace in 
Azure Sentinel. 

primaryKey={value} (Required) Provide the primary key Id assigned to the 
workspace in Azure Sentinel. 

name={value} (Required) Provide a unique name for the integration in the API 
request. The maximum length allowed for name is 50 
characters. 


baseCategory={IG|Potential| Category of the vulnerabilities fetched from Qualys (VM/VMDR 

Confirmed} app) to be posted on the Azure Sentinel. The valid values are 
IG, Confirmed, and Potential. 
By default, it is configured to Confirmed. In this case, only 
confirmed vulnerabilities are included. If you configure the 
baseCategory as Potential, both Potential and Confirmed 
vulnerabilities are included.If you configure the baseCategory 
as IG, all three categories: IG, Potential and Confirmed 
vulnerabilities are included. 


customLogName={value} Provide a unique name for the data collector APIs. You can 
identify the log details with the name you provide. If you do 
not provide a custom log name, we use 
QUALYS_SECURITY_VM_FINDINGS by default. 
Note: The custom log name can only contain letters, numbers, 
and underscore (_), and should not exceed 100 characters. 


minSeverity={value} The minimum severity level of the vulnerabilities fetched from 
Qualys (VM/VMDR app) to be posted on the Azure Sentinel. By 
default, it is configured to severity level 3 and above. For 
example, if you set the value to 1, all findings with severity 
level 1 to 5 are fetched and available on Azure Sentinel. 


resultSectionNeeded={true| Set this to true to include the result section in the response. If 

false} you want to exclude the result section, set this parameter to 
false. By default, the resultSectionNeeded parameter is 
configured to false. 


apiVersion={value} Azure Sentinel data collector API version. By default, 2016-04- 
01 API version is used. Click here for information on 
supported API versions. 


Add Azure Sentinel Integration 
API request: 


curl -u 'username:password' -X POST --header 'Content- 
Type:application/json' 
"https://qualysapi.qualys.com/qps/rest/2.0/add/integration/azure/sentinel 
/vm' --data '@integration.json' 


Note: “integration.json” contains the request POST data. 
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Request POST Data (integration.json): 
{ 


"workspaceId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 
"primaryKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 
"minSeverity": 4, 
"baseCategory": "Potential", 
"customLogName": "QUALYS FINDINGS", 
"name": "Sample Integration", 
"resultSectionNeeded": false, 
"apiVersion": "2016-04-01" 

} 

JSON output: 

{ 

"ServiceResponse": { 
"data": [ 


"integrationId=68" 
l, 
“Count! a Ly 
"responseCode": "SUCCESS" 
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Additional Optional API 


Once you add Azure Sentinel Integration, you can use it to fetch details, update the 
existing configuration of Azure Sentinel, or delete the Azure Sentinel integration as 
well.You can use the following additional optional API to fetch details of the integration. 


Update Azure Sentinel Integration 
Get Details of the Azure Sentinel Integration 


Delete Azure Sentinel Integration Details 


Update Azure Sentinel Integration 


<Qualys_API_URL>/qps/rest/2.0/update/integration/azure/sentinel/{integrationId}/vm 
[PUT] 


Once you add the Azure Sentinel integration, you can update the name, minSeverity, 
baseCategory, resultSectionNeeded, apiVersion of the Azure Sentinel integration with 
Qualys. 
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Input Parameters 


Parameter 
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Description 


integrationId={value} 


Provide the unique Id assigned of Azure Sentinel integration. 


workspaceld={value} 


Provide the unique Id assigned to the workspace in Azure 
Sentinel. 


primaryKey={value} 


Provide the primary key Id assigned to the workspace in Azure 
Sentinel. 


name={value} 


Provide a unique name for the integration in the API request. 
The maximum length allowed for name is 50 characters. 


baseCategory={IG|Potential| 
Confirmed} 


Category of the vulnerabilities fetched from Qualys (VM/VMDR 
app) to be posted on the Azure Sentinel. The valid values are 
IG, Confirmed, and Potential. 

By default, it is configured to Confirmed. In this case, only 
confirmed vulnerabilities are included. If you configure the 
baseCategory as Potential, both Potential and Confirmed 
vulnerabilities are included.If you configure the baseCategory 
as IG, all three categories: IG, Potential and Confirmed 
vulnerabilities are included. 


customLogName={value} 


Provide a unique name for the data collector APIs. You can 
identify the log details with the name you provide. If you do 
not provide a custom log name, we use 
QUALYS_SECURITY_VM_FINDINGS by default. 

Note: The custom log name can only contain letters, numbers, 
and underscore (_), and should not exceed 100 characters. 


minSeverity={value} 


The minimum severity level of the vulnerabilities fetched from 
Qualys (VM/VMDR app) to be posted on the Azure Sentinel. By 
default, it is configured to severity level 3 and above. For 
example, if you set the value to 1, all findings with severity 
level 1 to 5 are fetched and available on Azure Sentinel. 


resultSectionNeeded={true| 
false} 


Set this to true to include the result section in the response. If 
you want to exclude the result section, set this parameter to 
false. By default, the resultSectionNeeded is configured to 
false. 


apiVersion={value} 


Azure Sentinel data collector API version. By default, 2016-04- 
01 version is used. Click here for information on supported 
API versions. 


Update Azure Sentinel Integration details. 


Let us now see an example to update the configuration details of the Azure Sentinel 
integration. Provide the configuration details to be updated in the PUT request. 


API request: 


curl -u 'username:password' -X PUT --header 'Content- 
Type:application/json' 
"https://qualysapi.qualys.com/qps/rest/2.0/update/integration/azure/senti 
nel/{integrationId}/vm' --data '@integration.json' 

Note: “integration.json” contains the request PUT data. 
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Request PUT Data (integration.json): 
{ 


"workspaceId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 
"primaryKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
XXXXXXXXXXXXXXXXXXXXX", 
"minSeverity": 4, 
"baseCategory": "Potential", 
"customLogName": "CUSTOM LOG", 
"name": "Sample Name change", 
"resultSectionNeeded": false, 
"apiVersion": "2016-04-01" 
} 
JSON output: 


{ 
"ServiceResponse": { 
"data": [ 
"Azure Sentinel integration successfully updated." 


l; 
"responseCode": "SUCCESS", 
"count": 1 


} 


Get Details of the Azure Sentinel Integration 
<Qualys_API_URL>/qps/rest/2.0/get/integration/azure/sentinel/{integrationId}/vm [GET] 
<Qualys_API_URL>/qps/rest/2.0/get/integration/azure/sentinel/vm [GET] 


When you want to get details of a particular Azure Sentinel integration, you can fetch the 
configuration and integration details using the unique integration identifier (id) of the 
Azure Sentinel integration. You can fetch the configuration and integration details with or 
without the unique integration identifier (id) of the Azure Sentinel integration. 


Currently, you can only fetch details for the VM/VMDR app. 


Get integration details of the Azure Sentinel integration 
Let us now see an example to fetch the integration details of Azure Sentinel integration. 


API request: 


curl -u 'username:password' -X GET 
"https://qualysapi.qualys.com/qps/rest/2.0/get/integration/azure/sentinel 
/{integrationId}/vm' 

OR 


Note: If you are not aware of the integration ID, use the following request to fetch details 
without integration Id 


curl -u 'username:password' -X GET 
"https://qualysapi.qualys.com/qps/rest/2.0/get/integration/azure/sentinel 
/vm' 
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JSON output: 
{ 


"ServiceResponse": { 
"data": | 

"{integrationld=68, 
name='Sample Integration’, 
customerId=123456, 
customerUUID='a48£05df£-ff6f-704e-83ba-c0692b0ab64£9', 
workspaceld='XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX', 
minSeverity=3, 
baseCategory=I1G, 
customLogName='Test', 
apiVersion='2016-04-O01', 
resultSectionNeeded=true}" 


l, 
"counts 15 
"responseCode": "SUCCESS" 


Delete Azure Sentinel Integration Details 


<Qualys_API_URL>/qps/rest/2.0/delete/integration/azure/sentinel/{integrationId}/vm 
[DELETE] 


For an Azure Sentinel integration, you could delete the integration using the unique 
identifier associated with the integration. 


Delete the Azure Sentinel integration 
API request: 


curl -u 'username:password' -X DELETE 
"https://qualysapi.qualys.com/qps/rest/2.0/delete/integration/azure/senti 
nel/{integrationId}/vm ' 


where, integrationId is the unique integration identifier of the Azure Sentinel 


JSON output: 
{ 
"ServiceResponse": { 
"data": [ 
"Azure Sentinel integration successfully deleted." 

l, 

NeGunk ic Ly 

"responseCode": "SUCCESS" 
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Troubleshooting Tips 


Let us see scenarios that will help you debug the common issues. 


Scenario: Qualys Findings not visible in Qualys subscription 
Workaround: To view Qualys findings in your subscription ensure the following: 


- Qualys sensors are deployed on the endpoints 


- Vulnerability scans are conducted 


Scenario: Qualys Findings not visible on Azure Sentinel console 
Workaround: To view Qualys findings on Azure Sentinel console ensure the following: 


- Qualys sensors are deployed on the endpoints 
- Vulnerability assessment and findings are available in your Qualys subscription 


- Integration configuration with Qualys and Azure Sentinel console is complete 


For any such issues related to Azure Sentinel Integration with Qualys, reach out to Qualys 
Support. 
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